From patchwork Tue Jun 20 21:40:24 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9800307 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 10F6360329 for ; Tue, 20 Jun 2017 21:40:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EED7A22AFC for ; Tue, 20 Jun 2017 21:40:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E37BD28323; Tue, 20 Jun 2017 21:40:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 04B1222AFC for ; Tue, 20 Jun 2017 21:40:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752165AbdFTVk2 (ORCPT ); Tue, 20 Jun 2017 17:40:28 -0400 Received: from mail-pf0-f170.google.com ([209.85.192.170]:34015 "EHLO mail-pf0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752132AbdFTVk0 (ORCPT ); Tue, 20 Jun 2017 17:40:26 -0400 Received: by mail-pf0-f170.google.com with SMTP id s66so75198676pfs.1 for ; Tue, 20 Jun 2017 14:40:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=itJAlvunF6lLtd0MBJ+XunM4arFU8kCJC6uiCgAdbc4=; b=NKf3H9HVV2RwPDU1Ng9lc7S5zYyiqrOUNhwtDjK/Oq5xT+wtO7JdQtAl4H5eEtbMu9 JUHSiM7j286Al3u46IL0gpz+7cO0HyN9pk17ZRBE/CaWu2RVsFRcE8cLPnzImWg+qcsR S9WqgD0yZKUlI9fxk+AxdBiyAfD6yD3BQoemQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=itJAlvunF6lLtd0MBJ+XunM4arFU8kCJC6uiCgAdbc4=; b=ljAeVtL2zHXHq5XWjvHkg3JMxpw1GE3/tF4vldpia66y/gOKFuxbQlrr8guWSADnEF bLzEwBmefK/2wGD3Mc2ycFQ93DPKHX54T6DIr0Bsj2aEjkJd5Y+23874zEv119htL+Ei xjmdPxxmhDXJkqp93UN6V0j5vNT0BOvsmArviNu86bVGN6sHbBmy/MVzYu/UunlvNwvK zqGKJpyR6vD6GSV9lzH/AvalI2DQEuuwWQuIUhuahJyJe2jJ5uwEnoMlqAHeqtuwXQQV gydUmX6sVxfMCEGDoYjoMkkp22NykmlmwaYWLOGpM6ejzJQYG0XTxfI2OARuP0hXdgXv H3vg== X-Gm-Message-State: AKS2vOx+77fEmOWW/2UqoGpcUe2ey/z3gtgfj2mog53cRon+TTtL6QaL rJGmtIMawy90wO2p X-Received: by 10.99.134.72 with SMTP id x69mr24540878pgd.210.1497994826221; Tue, 20 Jun 2017 14:40:26 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id r81sm7295262pfi.61.2017.06.20.14.40.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Jun 2017 14:40:25 -0700 (PDT) Date: Tue, 20 Jun 2017 14:40:24 -0700 From: Kees Cook To: Alexander Viro Cc: Solar Designer , "Serge E. Hallyn" , Andy Lutomirski , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] fs: Reorder inode_owner_or_capable() to avoid needless Message-ID: <20170620214024.GA121654@beast> MIME-Version: 1.0 Content-Disposition: inline Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Checking for capabilities should be the last operation when performing access control tests so that PF_SUPERPRIV is set only when it was required for success (implying that the capability was needed for the operation). Reported-by: Solar Designer Cc: Serge E. Hallyn Cc: Andy Lutomirski Signed-off-by: Kees Cook Acked-by: Serge Hallyn Reviewed-by: Andy Lutomirski --- fs/inode.c | 2 +- fs/namei.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index db5914783a71..7092debe90cc 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2023,7 +2023,7 @@ bool inode_owner_or_capable(const struct inode *inode) return true; ns = current_user_ns(); - if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid)) + if (kuid_has_mapping(ns, inode->i_uid) && ns_capable(ns, CAP_FOWNER)) return true; return false; } diff --git a/fs/namei.c b/fs/namei.c index 6571a5f5112e..efe53a5d0737 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1008,7 +1008,7 @@ static int may_linkat(struct path *link) /* Source inode owner (or CAP_FOWNER) can hardlink all they like, * otherwise, it must be a safe source. */ - if (inode_owner_or_capable(inode) || safe_hardlink_source(inode)) + if (safe_hardlink_source(inode) || inode_owner_or_capable(inode)) return 0; audit_log_link_denied("linkat", link);